What is GHSA-vpfx-pxqw-2w79?

GHSA-vpfx-pxqw-2w79 is a security advisory published by GitHub Security Advisories with Medium severity. AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

Which CVE IDs does GHSA-vpfx-pxqw-2w79 cover?

GHSA-vpfx-pxqw-2w79 covers the following CVE IDs: CVE-2026-45620. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-vpfx-pxqw-2w79?

GHSA-vpfx-pxqw-2w79 has a CVSS v3 base score of 5.3, published by GitHub Security Advisories.

Which products are affected by GHSA-vpfx-pxqw-2w79?

GHSA-vpfx-pxqw-2w79 affects 1 product, including: composer/WWBN/AVideo:\u003c= 29.0.

GHSA-vpfx-pxqw-2w79MediumCVSS 5.3

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45620 →

📋 Description

CVE-2026-43881 fix d9cdc7024 patched users.json.php only. The same anti-pattern survives at master HEAD in:

objects/mention.json.php:17     $ignoreAdmin = true;
objects/mention.json.php:18     $users = User::getAllUsers($ignoreAdmin,
                                    ['name', 'email', 'user', 'channelName'], 'a');

No User::loginCheck(), no admin gate. Only entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10.

🎯 Affected products1

composer/WWBN/AVideo:<= 29.0

🔗 References (3)

https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79
https://github.com/advisories/GHSA-6rvw-7p8v-mjfq
https://github.com/advisories/GHSA-vpfx-pxqw-2w79